As more and more manufacturers add communication and internet technology to their devices, the need for different kinds of security increases.
A well-known car manufacturer is the latest to come unstuck when it comes to making sure that new functions on their vehicles come with security designed in. As technology increasingly moves into ever more devices it is vital that best security practice follows suit.
Many car makers now use mobile apps on phones to control aspects of the car. Along with keyless security these provide a new vector for thieves and hackers to exploit. These systems usually use a GSM module in the car to communicate with a cloud service. Your phone and its app then talk to the car through that service.
The problem with the latest security hole was that the car provided its own Wi-Fi access point. Researchers used a brute force attack to crack the code within four days using a simple laptop. By spending about £1,000 on cloud computing power they could do this almost instantly.
This allowed them to switch off the car’s alarm system and control some other functions but not to start or drive the vehicle.
The Wi-Fi function would also allow a potential thief to track or geolocate the vehicle.
So they can find the car and then switch off its alarm. Once inside the vehicle thieves would have access to the car’s diagnostic port which provides yet another vector for possible attack.
There is nothing very shocking about this latest vulnerability – almost every car maker has now been caught out.
It is not just cars – security researchers have raised fears about increasing functions and vulnerabilities of other types of technology too – Internet of Things devices have been criticised for weak security.
Individually this might seem unimportant – there is limited harm someone can do by controlling a temperature sensor or turning on my car’s lights.
But the lesson from enterprise security is that any weak point in a network will be exploited.
This is not just a problem for consumers. As businesses increasingly turn to IoT technologies and rely on wireless technology, they need to change the way they think about security.
You need to think about security at the very start of any project. It needs to be designed in from the ground up, not just added on later.
But that is the beginning of the process, not the end.
Security is about thinking about new threats as well as responding to more familiar foes. It needs to be a circular system which accepts that attacks will happen and reacts to learn from those attacks in order to continually strengthen defences.
Security needs to move and change as quickly as the attackers do. That means looking forward as well as keeping a close eye on who and what is on your network already.